[Senate Hearing 118-327]
[From the U.S. Government Publishing Office]
S. Hrg. 118-327
THE FEDERAL AND NON-FEDERAL ROLE
OF ASSESSING CYBER THREATS TO AND
VULNERABILITIES OF CRITICAL WATER
INFRASTRUCTURE IN OUR ENERGY SECTOR
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
WATER AND POWER
OF THE
COMMITTEE ON
ENERGY AND NATURAL RESOURCES
UNITED STATES SENATE
ONE HUNDRED EIGHTEENTH CONGRESS
SECOND SESSION
__________
APRIL 10, 2024
__________
Printed for the use of the
Committee on Energy and Natural Resources
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
55-889 WASHINGTON : 2025
-----------------------------------------------------------------------------------
COMMITTEE ON ENERGY AND NATURAL RESOURCES
JOE MANCHIN III, West Virginia, Chairman
RON WYDEN, Oregon                    JOHN BARRASSO, Wyoming
MARIA CANTWELL, Washington           JAMES E. RISCH, Idaho
BERNARD SANDERS, Vermont             MIKE LEE, Utah
MARTIN HEINRICH, New Mexico          STEVE DAINES, Montana
MAZIE K. HIRONO, Hawaii              LISA MURKOWSKI, Alaska
ANGUS S. KING, JR., Maine            JOHN HOEVEN, North Dakota
CATHERINE CORTEZ MASTO, Nevada       BILL CASSIDY, Louisiana
JOHN W. HICKENLOOPER, Colorado       CINDY HYDE-SMITH, Mississippi
ALEX PADILLA, California             JOSH HAWLEY, Missouri
------
Subcommittee on Water and Power
RON WYDEN, Chair
BERNARD SANDERS                      JAMES E. RISCH
CATHERINE CORTEZ MASTO               MIKE LEE
JOHN W. HICKENLOOPER                 JOHN HOEVEN
ALEX PADILLA                         BILL CASSIDY
Renae Black, Staff Director
Sam E. Fowler, Chief Counsel
Sarah Kessel, Professional Staff Member
Justin J. Memmott, Republican Staff Director
Patrick J. McCormick III, Republican Chief Counsel
Jack Holt, Republican Junior Counsel
C O N T E N T S
----------
OPENING STATEMENTS
Wyden, Hon. Ron, Subcommittee Chair and a U.S. Senator from Oregon
Risch, Hon. James E., Subcommittee Ranking Member and a U.S. Senator from Idaho
WITNESSES
Turpin, Terry, Director, Office of Energy Projects, Federal Energy Regulatory Commission
Wright, Virginia, Cyber-Informed Engineering Program Manager, Idaho National Laboratory
Aaronson, Scott, Senior Vice President, Security and Preparedness, Edison Electric Institute
ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED
Aaronson, Scott:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Risch, Hon. James E.:
    Opening Statement
Turpin, Terry:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Western Governors' Association:
    Letter for the Record
    Policy Resolution 2022-05
Wright, Virginia:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Wyden, Hon. Ron:
    Opening Statement
----------
WEDNESDAY, APRIL 10, 2024
U.S. Senate,
Subcommittee on Water and Power,
Committee on Energy and Natural Resources,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:30 p.m. in
Room SD-366, Dirksen Senate Office Building, Hon. Ron Wyden,
Chair of the Subcommittee, presiding.
OPENING STATEMENT OF HON. RON WYDEN,
U.S. SENATOR FROM OREGON
Senator Wyden. The Subcommittee will come to order, and
today we are going to be looking at critical infrastructure
sector issues, particularly threats and cybersecurity. I also
want to thank the Ranking Minority Member. We have had really
good cooperation with the staff on this and that's how it
should be.
The dams that generate our hydropower are no exception to
the serious set of threats that we are facing in cybersecurity,
generally. Countries like China and Russia present a
significant national security concern, as they have the ability
to shut down core functions of our society, and even cause
death, by hacking critical infrastructure.
Today, the Subcommittee is being told by the Federal Energy
Regulatory Commission, which licenses 2,500 dams, that the dams
responsible for well over half of the non-federal power
generation have not received a cybersecurity audit. And
currently, there is no plan to complete these missing audits
any time soon. FERC has told my staff--we want to thank them
for their cooperation and the forthcoming way in which they
have handled this--they have told my staff that they simply
don't have the ability to review the remaining dams within the
next decade. A big part of the challenge is that FERC has just
four cybersecurity experts to oversee 2,500 dams. Today, there
are no minimum standards, no audits of a majority of dams, and
bad cybersecurity. That is inviting cybersecurity trouble in
the Pacific Northwest.
As the Chairman of the Subcommittee responsible for dams, I
don't want to sit around and wake up to a news report about a
small town in the Pacific Northwest getting wiped out because
of a cybersecurity attack against a private dam upriver. FERC
cybersecurity rules only apply to dams that are remotely
managed over the internet. This practice enables companies to
save money by not requiring an operator on-site. Those cost
savings for the dam operator lead to significantly greater
cyber risks. In addition, there are no mandatory cybersecurity
requirements for dams only administered by on-site operators.
To make matters worse, FERC cybersecurity rules have not been
updated since 2016, they aren't specific enough, and are mostly
about paperwork and checking boxes. FERC doesn't have the
resources it needs to be an effective regulator of the
cybersecurity of private-sector-run dams. This is a problem for
the Congress to address.
Now it's time for Congress to step up. The seriousness of
cyber threats to critical infrastructure has been clear for
years. Companies and agencies across the Federal Government
have been slow to respond to the cyber threats, which are the
result of a combination of factors, including weak regulation,
no audits, and no accountability. For example, last year I
asked the Department of Homeland Security Cyber Safety Review
Board to look into the theft of senior government officials'
emails from Microsoft servers. DHS published the board's report
last week, which documented numerous cybersecurity problems
that seriously undermine U.S. national security. Microsoft
software is used widely across the U.S. Government and
industry. And if you look at these practices, which we have
seen for years now, they are undermining America's cyber
defenses and creating a serious threat to national security.
One of the central issues is that the United States does
not have a more coordinated approach to cybersecurity. The
cybersecurity of each part of our society is regulated in a
different way, and some end up not being regulated at all. Some
have rules. Some have the honor system. My own view is, this is
not good enough. So there is no wonder that there are broad
parts of our government and society with awful cybersecurity,
no effective rules, and no cyber safety regulatory efforts. The
Congress needs to address cybersecurity broadly rather than
playing whack-a-mole one industry or agency at a time.
Unfortunately, we can't solve the biggest problem in this
Subcommittee. We can accelerate updating FERC's cybersecurity
standards, making sure those standards are effective and apply
to all dams. That will help protect the United States from a
serious national security threat.
I look forward to working with our witnesses and all
members of the Committee to deal with this scope and scale of
an enormous challenge in our hydroelectric systems and others
so the Congress is equipped to develop targeted responses.
Before I yield to Senator Risch, I want the record to note, and
I guess I talked for about seven minutes, and I didn't hear
anybody talk about is this a Democratic approach or a
Republican approach. This is an American approach. And I intend
to work very closely with the Ranking Minority Member, my
friend from the Pacific Northwest, Senator Risch.
OPENING STATEMENT OF HON. JAMES E. RISCH,
U.S. SENATOR FROM IDAHO
Senator Risch. Well, thank you, Mr. Chairman. You and I
have served together for many years, not just on this
Committee, but also both of us are senior members of the
Intelligence Committee, and cybersecurity has certainly been in
our wheelhouse. With that in mind, it is only fitting that we
meet to discuss the two topics as pertinent as hydropower and
energy security and resiliency in this Committee meeting.
I have here, as a witness, Ms. Virginia Wright, who is the
Cyber-Informed Engineering Program Manager at the Idaho
National Laboratory. Glad to have her with us. But also, Mr.
Chairman, you should know that Mr. John Wagner is here, who is
the Director of the Idaho National Laboratory. The INL, as most
people know, is the flagship laboratory, not only in the United
States, but the world and the universe for nuclear energy.
Interestingly, what most people don't know is that the INL is
quickly becoming also the flagship laboratory for cybersecurity
matters, and as big as the nuclear issue is there and has been
since shortly after World War II, the budget for cybersecurity
is increasing. And within a few years, or maybe even less, the
budget for cybersecurity at that lab is going to overtake the
budget for nuclear. So the Idaho National Laboratory is a big
deal for Idaho, it's a big deal for America, and certainly,
it's a big deal in the field of cybersecurity.
You know, it's really impossible to overstate the
importance of dam infrastructure in Idaho. Dams have allowed us
in Idaho to transform desert into fertile farmland, account for
flood control, and transport commodities far beyond Idaho, and
are critical to meeting our growing energy demands. Hydropower
accounts for over half of our in-state electricity generation
and contributes significantly to affordability. Idaho boasts
the fourth lowest electric rates in the country, thanks in
large part to hydropower, which, of course, dams are critical
to. We've got an array of federal, local, and private dams
ranging from a couple of kilowatts to the Brownlee Dam,
operated by Idaho Power, on the Idaho-Oregon border, which is
the largest generation capacity of any privately owned dam in
America. Besides being a clean, renewable, and affordable
resource, hydropower is also integral to our security and
resiliency. Hydro facilities provide dispatchable, always-on
power with the ability to ramp up in the case of extreme
weather events and stabilize the grid. Additionally, many
hydropower facilities are black-start capable, meaning they can
quickly come back online after an incident without the need for
external power from the grid. Hydropower fulfills a
backstopping role in so much of our energy security. It is
vital. We best ensure that hydroelectric infrastructure itself
is secure.
In Idaho, we are proud to be home to experts working
diligently to that end at the Idaho National Lab. My Committee
colleagues have heard me discuss at length INL's role as our
flagship nuclear energy research institution. But what a lot of
people don't realize is, as I have said, is that cybersecurity
is increasing dramatically. INL performs cutting-edge energy
system research and development, ensuring cyber and physical
threat information in conducting cyber and physical security
assessments. I am pleased to have with us today, as I said, an
important person that is involved in that from the lab. She and
her team at the INL, in partnership with DOE, pioneered the
CIE, the cyber-informed engineering concept to build cyber and
safeguard practices into infrastructure from the beginning. CIE
and other related practices are now being implemented across
critical infrastructure development and improvements. I look
forward to learning more about this important work--work that
is, as we have underscored already, critically important to our
infrastructure and how we can improve its application to the
resiliency of our hydropower infrastructure.
Thank you, Mr. Chairman.
Senator Wyden. Thank you very much, Senator Risch, and it's
good to have Idaho in the house today.
Senator Risch. It is.
Senator Wyden. It is very welcome, and I can just tell you,
Ms. Wright, the staff has already been very complimentary of a
number of things going on there at the Idaho National
Laboratory. So we look forward to working closely with you.
We've got three really good witnesses today.
Terry Turpin, Director of the Office of Energy Projects at
FERC. He started his career at the Commission in 1998 as a
staff engineer, where he was responsible for the review of
natural gas pipeline applications. If I read in detail all of
his accomplishments, I would have you here until breakfast
tomorrow, but we are glad you are here Mr. Turpin. Welcome.
As I say, Virginia Wright, Program Manager for
Cyber-Informed Engineering at the Idaho National Laboratory. She
leads implementation of the National Strategy for
Cyber-Informed Engineering at the Department of Energy. So, she's
already been recognized by her colleagues nationally and we
wanted to note that.
Then we have Scott Aaronson, Senior Vice President of
Security and Preparedness, Edison Electric Institute. Scott
leads the EEI Security and Preparedness team, where he focuses
on industry security and resilience initiatives and
partnerships between government and electric companies. And I
think it's well known that we work very closely with you and a
cross section of environmental and labor leaders to get the
clean energy tax credits, and we very much appreciate your
contributions there at EEI.
So let's go right to our witnesses. We will start with you,
Mr. Turpin, and I think we have a general agreement, everybody
is going to try and stick to five minutes, and it's going to be
a little crazy after a while because we have some votes and
whatnot, but let's just get all our witnesses in before
anything happens in the way of votes, and we will go with Mr.
Turpin, Ms. Wright, and Mr. Aaronson.
Mr. Turpin, welcome.
STATEMENT OF TERRY TURPIN, DIRECTOR, OFFICE OF ENERGY PROJECTS,
FEDERAL ENERGY REGULATORY COMMISSION
Mr. Turpin. Thank you very much, sir.
Chairman Wyden, Ranking Member Risch, and members of the
Subcommittee, good afternoon. My name is Terry Turpin, and I am
Director of the Office of Energy Projects at the Federal Energy
Regulatory Commission. The Office is responsible for taking a
lead role in carrying out the Commission's activities in
reviewing infrastructure projects. This includes the licensing,
administration, and safety of non-federal hydropower projects,
the authorization of interstate natural gas pipelines and
storage facilities, and the authorization of liquefied natural
gas terminals. I appreciate the opportunity to appear before
you today to discuss the Commission's program regarding
cybersecurity for dam structures associated with hydropower. As
a member of the Commission staff, the views I express in my
testimony are my own and not necessarily those of the
Commission or of any individual Commissioner.
There are hydropower projects in nearly every U.S. state
and on most major river systems of the U.S., with more than 100
gigawatts of electric generation capacity installed.
Approximately 57 gigawatts of this generation are owned and
operated by non-federal parties, such as private companies,
private utilities, municipalities, electric cooperatives,
private citizens, Indian tribes, and state agencies. Under the
Federal Power Act, non-federal hydropower projects must be
licensed by the Commission if they are located on a navigable
waterway, occupy federal land, use surplus water from a federal
dam, or are located on non-navigable waters over which Congress
has jurisdiction under the Commerce Clause. In accordance with
the Federal Power Act, the Commission currently regulates over
1,600 non-federal projects, which includes about 2,500 dams.
The Commission's dam safety and security program includes a
focus on ensuring that the wide range of dam owners and
operators both understand the cybersecurity measures needed to
protect their control systems and are also aware of potential
threats and vulnerabilities. In recognition of this, the
Commission has developed cybersecurity measures drawn from a
risk-based, descriptive model approach, which allows for
flexibility in regulating such a diverse set of entities. These
measures were built on guidelines issued by the National
Institute of Standards and Technology, approaches developed
through the North American Reliability Corporation's standards
development process, and informed through outreach to the
regulated industry. These measures allow dam operators and
owners the ability to implement a defense-in-depth strategy
based upon unique risks and constraints that they face, and
enable them to adapt to changes in the cybersecurity
vulnerability and threat landscape. Dam owner/operators were
required to implement these measures by the end of calendar
year 2018.
Commission cybersecurity specialists audit dam operators'
efforts regarding vulnerability and security assessments,
documentation of cyber assets and associated criticality
designations, implementation of cybersecurity controls, and the
posture of on-site security. The audit process helps focus
owner/operators' efforts on what cybersecurity measures will be
most effective for their critical features to prevent a failure
path that could lead to downstream consequences. Commission
security specialists also monitor classified intelligence,
open-sourced information, and unclassified government issuances
from the FBI, the Cybersecurity and Infrastructure Security
Agency, Homeland Security Information Network, and the
Electricity Information Sharing and Analysis Center. This
allows staff to discern pertinent security-related events,
incidents, and trends, as well as to ensure that FERC licensees
are made aware of potential threats and vulnerabilities. By the
end of Fiscal Year 2024, staff of the security branch will have
performed 271 physical security inspections and completed
cybersecurity audits covering the owner/operators responsible
for 37 percent of the installed non-federal hydropower
capacity. By the end of Fiscal Year 2025, we will have
completed audits covering 70 percent of that installed
generation capacity.
That concludes my remarks, and I would be very happy to
answer any questions you might have.
[The prepared statement of Mr. Turpin follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Senator Wyden. You almost set the land speed record for
getting your testimony in, and I thank you.
Senator Risch. Very much appreciated.
Senator Wyden. Yes, indeed.
Ms. Wright, welcome.
STATEMENT OF VIRGINIA WRIGHT, CYBER-INFORMED ENGINEERING
PROGRAM MANAGER, IDAHO NATIONAL LABORATORY
Ms. Wright. Chairman Wyden, Ranking Member Risch, and
members of the Subcommittee, thank you for the opportunity to
testify on a topic critical to our nation's national security.
My name is Virginia Wright, and I am a program manager at the
Idaho National Laboratory, one of the 17 U.S. Department of
Energy National Laboratories. From our decades-long work in
building and testing more than 50 nuclear reactors in the high
desert west of Idaho Falls, INL has developed a deep
understanding of the cybersecurity and engineering needed to
secure systems and provide critical function assurance.
INL, sponsored by the Department of Energy, has developed
an approach to cybersecurity which starts at the critical
functions of the system and the technology that performs those
functions. This methodology, called cyber-informed engineering
(CIE), asks the engineers who design and operate infrastructure
systems to develop engineered controls which can mitigate the
worst consequences that could be caused, even if adversaries
penetrate digital defenses and gain control of operational
technology. CIE is a method readily applicable to ensure that
the modernization of the hydropower fleet incorporates
designed-in cyber protections which complement the analog
nature of the engineering inherent in today's facilities. The
U.S. hydroelectric fleet generates 240 billion kilowatt-hours
per year, and is very diverse in size, operational
configuration, automation level, and importance as baseload.
Hydroelectric facilities range in generating capacity from less
than one megawatt to the U.S.'s largest, Grand Coulee Dam,
which generates more than 6,800 megawatts. Fewer than 400
facilities supply more than 90 percent of U.S. hydropower.
Additionally, 87 percent of the U.S. fleet is over 30 years
old, with rotating machinery and physical components that have
lasted far beyond the expected service life.
The largest facilities are operated by the U.S. Army Corps
of Engineers, Bureau of Reclamation, Tennessee Valley
Authority, and large commercial utilities--organizations with
well-resourced cybersecurity programs. Many of the remaining
small and medium-sized facilities are operated by entities with
few resources to invest in vulnerability analysis and threat
detection, but they all face the same threat landscape.
Significant investments by Congress have allocated more than
$753 million to programs to maintain and advance the existing
hydropower fleet. These improvements will result in increased
generation and grid services and they will also add digital
technology used for automation and interconnection of systems
within hydropower facilities, increasing the fleet's exposure
to cyber threats and vulnerabilities.
In testimony before the House Select Committee on January
31, U.S. officials provided stark warnings about the
capabilities and intent of hackers linked to the People's
Republic of China. In her testimony, CISA Director Jen Easterly
stated, ``This is truly an `everything, everywhere, all at
once' scenario.'' Given the rising awareness that U.S. critical
infrastructure is being actively targeted by nation-state
actors with the ability to gain covert access and the intent to
cause catastrophic harm, a broadly capable cybersecurity
program is necessary, but not sufficient. The Federal
Government must provide aid and incentives for critical
infrastructure operators to proactively find and eliminate
avenues for cyber adversaries to cause harm. This is especially
true for small organizations who operate infrastructure with
the potential for damaging impacts. Cyber-informed engineering
can be used to engineer-out adversary opportunities and
engineer-in protections from sabotage in both existing and
newly upgraded infrastructure.
While the Federal Government can provide financial
resources and the expertise of the national laboratories with
their ready stockpile of capabilities, defending against
``everything, everywhere, all at once'' will require everyone,
both federal and non-federal, to join forces. To address some
of the most critical needs for assessing cyber threats and
vulnerabilities of critical water infrastructure in our energy
sector, INL has developed a series of urgent recommendations.
Further recommendations and details about each are in my
written testimony. Number one, use cyber-informed engineering to
to add ``secure by engineering design'' protections from the
impact of cyberattacks on the existing fleet and in designs for
the future. Number two, support vulnerability assessments on
commonly used technology within the hydroelectric fleet. Number
three, develop hardening guidance to address well-known
weaknesses in digital systems used in hydropower. And number
four, increase the pace and the financial support for threat
hunting across the hydropower fleet.
I appreciate the opportunity to testify today, and I want
to thank you for your attention to this very important issue
for our nation. I look forward to your questions.
Senator Wyden. You will have them momentarily.
[The prepared statement of Ms. Wright follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Senator Wyden. Mr. Aaronson.
STATEMENT OF SCOTT AARONSON, SENIOR VICE PRESIDENT, SECURITY
AND PREPAREDNESS, EDISON ELECTRIC INSTITUTE
Mr. Aaronson. Thank you, Chairman Wyden.
Chairman Wyden, Ranking Member Risch, members of the
Subcommittee, I appreciate the opportunity to testify before
you today on this important topic on critical infrastructure
security, and specifically, those interdependencies among the
electricity, water, and dam sector. You are going to hear some
very consistent themes across the three witnesses. My name is
Scott Aaronson. I am Senior Vice President for Security and
Preparedness at the Edison Electric Institute, or EEI. EEI is
the trade association representing all of the nation's
investor-owned electric companies. These companies serve more
than 250 million Americans and represent five percent of the
United States' gross domestic product. We are fond of saying
it's the first five percent of GDP since all other sectors rely
on our product. And that number is only growing. With the
proliferation of data centers for artificial intelligence and
fueling our digital economy, more manufacturing and industrial
processes relying on electricity, adoption of electric vehicles
across the transportation sector, and electricity increasingly
used for home heating, America's electric companies are more
important than ever to our nation's security, economic
competitiveness, and the lives and safety of our customers and
your constituents. This is a responsibility EEI's members take
very seriously.
In addition to the extraordinary growth, the grid is also
changing. With more distributed resources, two-way flows,
grid-scale battery storage, clean energy sources, and broad
digitization enabling customer control and better visibility
into this increasingly complex system, this is an exciting time
to be a part of the electric power sector. But these changes
also can bring new risks and an evolving attack surface. As the
Director of National Intelligence Worldwide Threat Assessment
has said publicly since 2019, ``Near-peer nation-states are
targeting critical infrastructure to hold the United States at
risk at a time of their choosing.'' To address these risks, the
electric power sector uses a defense-in-depth approach that
seeks to protect our most critical assets from compromise while
also understanding that defenses are never infallible. So
resilience, redundancy, and the ability to recover are integral
to our defenses too.
This resilience comes from a diversity of resources and
systems that limit single points of failure. It also comes from
the development and exercising of plans to operate degraded or
to restart systems, known as black-start capabilities, and
perhaps most importantly, a culture of mutual assistance that
supports response and recovery against all hazards. This is
most apparent when storms and natural hazards hit, but has
grown to include cyber mutual assistance capabilities and spare
equipment sharing programs. The energy grid is one big machine
with thousands of owners and operators. This community has
found common cause to work together to address the risks posed
by both Mother Nature and man-made threats.
In addition to these resilience efforts, the electric power
sector also has a regulatory regime that includes mandatory and
enforceable cyber and physical security standards. It may
surprise the Subcommittee, but the electric power sector
strongly supports these regulatory requirements. They provide a
foundational level of security, and we appreciate Congress
codifying the concept of an electric reliability organization
in the Federal Power Act as part of the Energy Policy Act of
2005. This construct allows experts from grid operators and
other stakeholders to develop standards that are enforced by
the Federal Energy Regulatory Commission. That said,
regulations alone cannot guarantee security because security is
not a check-the-box exercise. In fact, in order to keep up with
adversaries, asset owners and operators must be more nimble and
creative than just abiding by baseline regulations. This is
where the value of partnerships is key.
In addition to my role at EEI, I also am privileged to be a
member of the secretariat that supports the Electricity
Subsector Coordinating Council (ESCC). Along with the
cooperative and public power segments of the industry, the ESCC
brings more than two dozen CEOs and leaders from across the
sector to work with senior government officials to prepare for
and respond to serious threats to grid operations. The ESCC has
been held up as a model for how critical infrastructure sectors
can partner with each other and leverage both the industry's
visibility into its systems and our operational excellence,
along with the government's intelligence gathering capabilities
and national security responsibilities. In addition to
responding to major incidents, other ESCC priorities include
securing the grid of the future and enhancing operation and
collaboration between government and industry security experts.
Fortunately, a recent example of the value of this
partnership was the Chinese state-sponsored cyber threat known
as Volt Typhoon that became public earlier this year.
Fortunately, the electric power sector had been aware of the
risk long before it made news. In fact, a small group of pilot
companies participating in the Energy Threat Analysis Center
(ETAC) had been working side-by-side with government to
understand this threat and to develop and socialize mitigation
strategies. These lessons were shared with the broader sector
through the Electricity Information Sharing and Analysis Center
(E-ISAC), showing a commitment to collective defense and
information sharing that will serve us well as the electric
power sector adapts to the new threats and challenges facing
critical infrastructure operators.
In addition to working with the government, the ESCC also
values cross-sector partnerships. While we are that first five
percent of GDP, we also rely on other sectors to support our
sector's operations and resilience. We need telecommunications
to communicate with field personnel and to ensure systems
remain in balance; transportation and pipelines to move fuel;
and water to generate steam, cool systems, and for hydropower
through dams. As you know, these resources play a critical role
in both the black-start capabilities that I mentioned earlier
and in producing energy that provides important support to grid
operations, particularly in the West. Again, EEI and its
members are deeply committed to these partnerships, regulatory
constructs, and resilient strategies, and to working together
as both the energy grid and geopolitical risks continue to
evolve.
Thank you again for the opportunity to testify today, and I
look forward to your questions.
[The prepared statement of Mr. Aaronson follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Senator Wyden. Thank you, Mr. Aaronson.
And we have five Senators here, so there's a considerable
amount of interest. We may be expecting some more, so we will
just proceed to get into questions.
Let me start with you, Mr. Turpin, and again, I thank FERC
for the cooperation that we have had. Now, you all haven't
updated your cybersecurity requirements for commercial dam
operators since 2016. And obviously, a lot has changed in
cybersecurity over the past eight years. I am of the view that
there is a need to update these requirements and incorporate
the cybersecurity best practices that generally are part of
what other federal regulators abide by. Your thoughts?
Mr. Turpin. Well, I quite agree. We issued them in 2016 as
a way to get the program started. We have been auditing
facilities, and from those lessons learned, the full intention
is to update those and incorporate the views of other agencies
and things that are always being learned in this rather dynamic
landscape.
Senator Wyden. How long will it take to do that? Could you
have that ready to go, say, in six months?
Mr. Turpin. Well, I don't think six months. We will be at
70 percent of the facilities by the end of next year, and I
think we will definitely move to update it then. In the
interim, we, of course, will be applying anything we have
learned as we move forward with all of the entities.
Senator Wyden. So how long would it take to update the
requirements? I appreciate the fact that you all want to make
progress. I just think it's important to have a clearly
understood kind of lodestar, a real focus that everybody can
abide by. I see Senator Cantwell, my partner on the Finance
Committee. We are going to have a hearing on cybersecurity and
healthcare in the Finance Committee. There may be some broad
principles, and here is the Senator from Nevada as well. We
will see some principles that will come out of that healthcare
hearing, but what goes on with dams isn't necessarily what goes
on with cybersecurity for health care. Dams and health care are
different.
So your thoughts about getting an actual target date--would
nine months work better? I don't want to go month by month, but
I do want to get----
Mr. Turpin. Sure.
Senator Wyden. I do want to get a target date for an
update.
Mr. Turpin. Yes, absolutely. And I mean, nine months would
be achievable, I think.
Senator Wyden. Good.
Mr. Turpin. We will see, over the next five months, we will
have completed 37 percent of those audits and that will be very
informative for updating and getting----
Senator Wyden. I will quit while I am ahead, nine months.
With respect to oversight, you all have really no mandatory
cybersecurity requirements for dams that aren't connected to
the internet. I am concerned about foreign spies being able to
jump the air gap and hack systems in our network, such as by
distributing spyware on thumb drives. Do you agree that U.S.
dams need robust cybersecurity defenses, even if their systems
are not connected to the internet?
Mr. Turpin. I do. We started focusing on those that were
remotely operable as a way to get the program up and running,
but I don't think it comprises the entire universe of what
needs to be protected.
Senator Wyden. All right. One last question: The Department
of Homeland Security Cyber Safety Review Board looked into the
theft of senior government officials' emails from Microsoft
servers and Secretary Raimondo and others, and my understanding
is Microsoft products were used widely in the dam sector. Is
that right?
Mr. Turpin. That is correct.
Senator Wyden. Okay. So how do we take that Cyber Safety
Review Board set of conclusions and obviously, Secretary
Raimondo and others are concerned about what the rules are
going to be, and what do we say about Microsoft and others
meeting tough cybersecurity standards coming on?
Mr. Turpin. Yes, and so, obviously, the report is of great
concern, and as it was issued last week, we are going through
it and we will be using that to inform any changes we might
make, especially as we move forward over the next nine months.
Senator Wyden. Well, consult with all of us, and we would
appreciate that.
Senator Risch.
Senator Risch. Thank you, Mr. Chairman.
Ms. Wright, I have a series of questions for you. On this
issue on dams, do you deal only with dams that generate
electricity--and I assume the vast majority of dams do some
type of hydroelectric generation--but if you have just a flood
control dam or something like that, do you still--are they in
your sphere?
Ms. Wright. So Senator, for the dams that provide
agricultural or water holdback services, there still can be
digital equipment that operates some components with those dams.
There can be communication and status indicators that are
installed on those dams. For that equipment, certainly,
methodologies like cyber-informed engineering and other
cybersecurity defenses would be appropriate. Also, as we begin
to modernize these agricultural dams to become power-producing
dams, as many of the more recent investments allow, that will
introduce a significant amount of digital technology, which
will change the risk for those agricultural dams. It is
compounded by the fact that many of these agricultural dams are
located in very rural communities who may not have access to
excellent cybersecurity services. So we will have to work on
trying to ensure that cybersecurity protections are designed-in
as opposed to reactively applied afterwards.
Senator Risch. So what percent of the dams are--ballpark,
if you can give me one--what percent are the ag type dams that
don't generate electricity? Are you able to give an estimate
there?
Ms. Wright. Senator, I am not today, but I would be
delighted to get that answer and bring it back to you.
Senator Risch. Well then, to get right down to it, how does
this work? Do the dam operators come to you? Do you come to
them? Are they subject to a regulatory mandate? Where are we on
that? Just give me a general idea of how this works.
Ms. Wright. For cyber-informed engineering, our approach is
very broad, and we would be very open to working with
hydroelectric owners and operators to apply the methodology at
their facilities. As of yet, we have not done so, but we are
eager for that opportunity. Right now, the owners and operators
have voluntary access to a number of services offered by the
Department of Energy's CESER organization, offered by DHS's
Department of Dams, and other federal entities. Those tools
include ones that allow network visibility that helps to rank
consequences of cyber threats and that inform how one might
perform an incident response activity at a hydroelectric
facility.
Senator Risch. And are there private-sector companies that
are involved in this effort also?
Ms. Wright. Yes, sir. With cyber-informed engineering we
are attempting to make every one of our developments very
public, and we have communities of practice where the private
sector learns about cyber-informed engineering and can apply
it.
Senator Risch. So can you give me any kind of an idea of
the hydroelectric dams, how many of them are now subject to the
CIE methodology? How many of them are in practice? What
percent?
Ms. Wright. Right now, not very many. However, the benefit
for the hydroelectric sector is that these dams are marvels of
U.S. engineering, and because of their age, they have older
equipment that is not subject to cyber vulnerabilities. So
there is an excellent opportunity to leverage what already
exists and build in protections as modernization brings digital
equipment into the dam sector.
Senator Risch. So Mr. Aaronson, your constituency, they are
dialed in on this, I assume? Tell me what the thought process
is.
Mr. Aaronson. Yes, they are, and we really appreciated the
Idaho National Lab's leadership on this. I think cyber-informed
engineering is a concept that absolutely reflects our vision of
resilient operations. The idea here is, digital equipment is
terrific, but we operated the grid for the better part of the
20th century without digital overlay. How can we operate
degraded? How can we operate through a cyber incident? How can
we rely on non-digital equipment to make it harder for the
adversary? You know, one of the things I talk about a lot, just
to maybe dig in a little bit, there are two ways to deter an
adversary. The first is that the attack doesn't have the
intended impact. So an adversary attacks using cyber means and
we still maintain operations. The other way that you deter is
that an attack has a consequence, which is the purview of our
Armed Forces and intelligence community, and increasingly, the
electric power sector has a responsibility to support military
installations who are supporting forward operations. So this
relationship between the electric power sector, defense
installations, the intelligence community, and using things
like cyber-informed engineering gives us a holistic approach to
deterrence where the attack doesn't have the intended impact
and our military can do its job.
Senator Risch. So back to you, Ms. Wright. How rapidly are
these dams being restructured to modernize their operations?
What's the velocity of that or non-velocity of it that's going
on, or are you able to speak to that?
Ms. Wright. I would like to bring some exact numbers back
to you----
Senator Risch. For the record, why don't you do that?
Ms. Wright. But what we were able to observe is that
federal entities have granted a number of modernization efforts
that are being carried out, both by asset owners and vendors
who supply services to the grid, many to refit these
agricultural dams to be power-producing and others to add
advanced instrumentation to dams to make them more responsive
to changing grid conditions.
Senator Risch. I am assuming--my time is up, but let me
close with this--I am assuming, well, we all know that the
Idaho National Lab is world-class in control systems,
developing operations, understanding them, and of course, that
has been going on for decades there because of their work with
nuclear. And I believe that the cyber growth there is a result
of our expertise in control systems. I am assuming your
operations bring the two of those together--the control systems
and the cyber operations.
Ms. Wright. Senator, that's right. And thank you for the
opportunity to address that. The cyber-informed engineering
methodology takes advantage of a practitioner who has been left
out of a great many of the cybersecurity conversations, and
that is the engineer who designs a system to perform in the
first place and operates the critical practices. By leveraging
the knowledge of that engineer, you can identify the
consequences that would be most impactful in the event of a
cyberattack and remediations that may be non-digital and
out-of-phase with the adversary to accomplish what my colleague has
talked about, deterring the adversary because of the lack of an
impact resulting from their activity.
Senator Risch. That is all quite helpful.
Thank you, Mr. Chairman.
Senator Wyden. I thank my colleague.
Senator Hickenlooper.
Senator Hickenlooper. Yes, thank you, Mr. Chair, and thanks
to all three of you for taking time out of your busy lives and
being here with us, appreciate that.
Mr. Aaronson, some of the emerging technologies like AI
are, obviously, offering exciting opportunities to make our
grid more efficient and more reliable--all types of
electricity. And making use of these large datasets, I think,
can help us predict demand more accurately, and also to manage
supply more effectively. To make progress on this potential,
President Biden has given an executive order on AI, including a
call for a report on how AI can improve our grid
infrastructure. So how can we test the impacts of new
modernizing technologies on the grid and ensure that those
improvements are safe, effective, and defensible? And then, the
other question, and this gets back a little bit to what Ms.
Wright was talking about--does increased reliance on AI and
other technologies introduce new security threats that we
should address on the front end?
Mr. Aaronson. I see we only have a little under four
minutes to answer this question.
[Laughter.]
Mr. Aaronson. So I will say, at a very high level, first of
all, I agree completely that artificial intelligence has a lot
of promise for grid operations. Electric companies already are
using versions of artificial intelligence. I think the
inflection point recently has been generative AI, but
artificial intelligence and machine learning have been a part of
this sector for quite some time. At the end of the day, it
helps with grid operations, it helps with efficiencies, just as
most digitization technologies do. I would say one of the ways,
as I said a second ago, and as Ms. Wright was mentioning, part
of what we need to do to negate the risk is to make sure that
we are not putting all of our eggs in the digital basket,
whether it's AI, whether it's just digital controls broadly, or
what have you. The ability to operate degraded remains
important, so let's not rely exclusively on AI, but for blue
sky operations, AI is extraordinary. This risk that comes from
artificial intelligence certainly comes from adversaries
leveraging it, and it comes from poisoning the datasets that
ultimately we would be relying on.
And so, one of the things, I think, you need to think about
when we think about artificial intelligence is, at the end of
the day, it is hardware, it is software, it is data, it is
algorithms. We know how to protect those. Now, do we completely
understand the nuances of how AI will change that threat
landscape? We do not. And so, I think we need to do this in a
thoughtful, deliberative way, but that's not to say that AI is
good or bad. AI is here and it is happening and it is valuable
to grid operations. Let's just do it in a safe, responsible
way.
Senator Hickenlooper. I agree completely. And I think
touching on that, certainly with hydroelectric generation,
oftentimes that generation is somewhat isolated, and generally,
it's not cost effective to have redundancy built into those
systems at the sufficient level.
Ms. Wright, I have to ask, do you think the NERC standards
are sufficient to protect our grid, not just from cyberattacks
but from the consequences that prey upon this vulnerability
that's unavoidable, I think, to a certain extent when you have
remote generation, which in many, not just hydroelectric, but
other types of generation can be somewhat isolated. Are the
NERC standards sufficient, or do we need additional state and
local measures as well?
Ms. Wright. Thank you, Senator.
The NERC standards are sufficient to guide the development
of a broadly based cybersecurity program that enables an asset
owner to respond to a very broad category of cyber events.
Where the Federal Government has advanced knowledge of very
specific threats, there are opportunities for the Federal
Government to offer aids that are specifically targeted to
those threat conditions where a broadly based cybersecurity
strategy may not offer sufficient protection. So in that
measure, they are both sufficient, but there are additional
capabilities that can be offered by the Federal Government.
Senator Hickenlooper. So what more should be done? What
should we be thinking? What should we be doing?
Ms. Wright. So first, identifying what is the most
important, and identifying means to protect it. We cannot, as
several of my colleagues have said, we cannot spread our
cybersecurity investment across all of the assets. Second--and
cyber-informed engineering takes advantage of this--use what is
there. Take the basic engineering that is already present at
several of the hydroelectric facilities and use it to create
defenses. And third, help focus and optimize investments that
asset owners are making by responding with very fast targeted
threat information. The ETAC program that was already mentioned
and the bulletins by E-ISAC do a great job of providing a broad
set of information to the electric sector community. Where
those can be further refined for the hydroelectric sector,
there will be amazing benefits.
Senator Hickenlooper. That's great.
I guess I am out of time. So I will yield back to the
Chair.
Senator Wyden. I thank you, Senator Hickenlooper. We are
waiting for our colleagues to return. It's a hectic day here
and I am just going to ask a couple of others and see if my
friend Senator Risch would like to as well.
Ms. Wright, you gave us a number of concrete
recommendations to improve cybersecurity, and I like the
breakdown of ``do it now'', ``you might have a little bit of
time'', and then a longer timeline. What do you think is most
important for Congress to help the small dam operators? You
know, we tried to say from the beginning, big guys are out in
front and are looking at the internet issue and the like, but
what do you think would be most helpful for the small dam
operators that are not currently subject to cyber requirements
and basically are short of resources to protect themselves?
Ms. Wright. I am going to give some very similar answers,
Senator, and thank you for that opportunity. First, the small
dam operators need targeted information. It is interesting to
talk about ``everything, everywhere, all at once,'' but in a
small cooperative or small operation where the person doing the
cybersecurity may also be in charge of the billing, developing
the resources to respond to everything is outside of their
means. So targeted threat intelligence, tools that reduce the
burden on an asset owner by being very appropriate for
application in the hydropower environment, not just something
general that applies across the wide expanse of critical
infrastructure, and finally, access to technical providers who
can aid in the installation of these solutions and potentially
for their maintenance over time.
Senator Wyden. Okay.
I think we are just trying to get everybody's location and
see. We have a vote on as well, so we will see if we can wrap
up fairly quickly.
Mr. Turpin, apropos of what Ms. Wright is doing with her
categories of recommendations: ``immediate'', ``you have a
little bit of time'', and ``maybe a bit more time'', are you
guys working on anything resembling that? I have tried to open
the debate up in terms of when you all thought you could get us
an update on the rules.
Mr. Turpin. Right.
Senator Wyden. What else are you trying to put on a
calendar here, I guess would be the way I would ask it?
Mr. Turpin. Right. So I mean, right now, the focus is on
moving through those audits and trying to understand, you know,
how to improve that. I think, as we learn things over this next
year, we will definitely be using that on the day-to-day and
not waiting for anything to, you know, to have to be done in an
update in nine months. I would echo Ms. Wright's thoughts that
it's difficult with the smaller operators, given, as you said,
the big folks are already out there running full charge. It is
when you get down to the bulk of the operators that are very
small organizations that are going to need the help. And so I
think we will be trying to look at some of the research that
Idaho has done and try to figure out how we could apply that to
help the small operators as well.
Senator Wyden. Well, let's do this. We are going to
liberate you all and I want to again thank the Ranking Minority
Member. We have worked together on so many things in this
Committee and elsewhere, and I think this is really important
work to do. I think the pace of change in the cyber area is so
extraordinary. We are going to have to have good people like
you three working with us as we examine these issues, and we
thank you.
We are going to hold the record open for colleagues to
submit written questions.
And with that, we will adjourn and thank our witnesses.
[Whereupon, at 3:23 p.m., the hearing was adjourned.]
APPENDIX MATERIAL SUBMITTED
----------